OFFICE OF INSPECTOR GENERAL

Audit Report

The Railroad Retirement Board's Progress in Implementing Federal Information Security Management Act Requirements

Report No. 10-08
May 19, 2010

RAILROAD RETIREMENT BOARD


TABLE OF CONTENTS

Introduction
  Background
  Objective
  Scope
  Methodology

Results of Evaluation
  Certification and Accreditation
  Access Controls
  Privacy
  Risk Assessment
  Policies and Procedures
  System Security Plans
  Training
  Testing and Evaluation
  Remedial Action Process
  Incident Handling and Reporting
  Continuity of Operations
  Inventory of Systems

Appendix
  Appendix I  Important Outstanding Audit Recommendations


INTRODUCTION

This report presents the results of the Office of Inspector General's (OIG) evaluation of the Railroad Retirement Board's (RRB) progress in implementing Federal Information Security Management Act (FISMA) requirements.[1]

[1] FISMA was enacted as Title III, E-Government Act of 2002, P.L. 107-347.

Background

The RRB administers the retirement/survivor and unemployment/sickness insurance benefit programs for railroad workers and their families under the Railroad Retirement Act and the Railroad Unemployment Insurance Act. These programs provide income protection during old age and in the event of disability, death, temporary unemployment or sickness. The RRB paid over $10.8 billion in benefits during fiscal year (FY) 2009. The RRB is headquartered in Chicago, Illinois and has 53 Field Offices across the nation.

FISMA requires each agency to develop, document, and implement an agencywide information security program for the information and information systems that support the operations and assets of the agency. Such a program includes:

   •   periodic assessments of risk;
   •   risk-based policies and procedures that ensure information security is addressed;
   •   developing and implementing system security plans;
   •   security awareness training for personnel, contractors, and other users of the information system;
   •   periodic testing and evaluation of the effectiveness of the information security policies, procedures, and practices;
   •   a process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies;
   •   procedures for detecting, reporting, and responding to security incidents;
   •   plans and procedures to ensure the continuity of operations; and
   •   developing and maintaining an information systems inventory.

FISMA also requires annual agency program reviews, Inspector General security evaluations, an agency report to the Office of Management and Budget (OMB), and an OMB report to Congress. Additionally, OMB requires an annual report of agency activities performed in accordance with the Privacy Act, and an Inspector General assessment of the agency's privacy program and privacy impact assessment process.[2]

[2] The Privacy Act of 1974, 5 U.S.C. § 552a.

Past audits and evaluations by the OIG and contractors hired by the OIG have disclosed weaknesses throughout the RRB's information security program, including significant deficiencies in access controls over both the mainframe and LAN environments; training provided to staff with significant security responsibilities; delays in meeting FISMA requirements for both risk assessments, and periodic testing and evaluation; and the internal control over the certification and accreditation process due to an ineffective review process for contractor deliverables.

The RRB has addressed the significant deficiencies for training, risk assessments and periodic testing and evaluation, but the significant deficiencies for access controls and the internal control over the certification and accreditation process continue to exist.

The Bureau of Information Services (BIS), under the direction of the Chief Information Officer (CIO), is responsible for the RRB's information security and privacy programs. FISMA requires agencies to report any significant deficiency as a material weakness under the Federal Managers' Financial Integrity Act.[3]

[3] The Federal Managers' Financial Integrity Act of 1982, 31 U.S.C. § 3512.

Objective

The objective of this evaluation was to determine the progress made by the RRB in implementing the information security program required by FISMA.

Scope

The scope of this evaluation was the RRB's information security program from FY 2000 to FY 2009, and the status of agency actions to correct or mitigate previously reported information security weaknesses as of March 23, 2010. Such status is determined after an OIG review of agency corrective actions, and an OIG decision to close the audit recommendation as implemented.

Methodology

To accomplish our objective we reviewed our prior reports to identify previously reported weaknesses and the corresponding OIG audit follow-up records, including documentation previously submitted through the audit follow-up process. Additionally, we conducted interviews of agency staff, and obtained and reviewed documentation to support significant accomplishments made by the RRB, as necessary. Our work did not include any assessments against new or previously established criteria.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Fieldwork was conducted at RRB headquarters in Chicago, Illinois, from January 2010 through April 2010.


RESULTS OF EVALUATION

Over the past ten years, the RRB has made significant progress in implementing an information security program that meets the requirements of FISMA. Since FY 2000, they have made steady progress in correcting previously reported deficiencies in their information security and privacy programs. Additionally, the RRB is currently addressing important outstanding audit recommendations that will continue to strengthen the overall security and privacy programs.

Many of the FISMA required elements did not exist or were inconsistently enforced when the OIG first began evaluating the RRB's information security program. Since FY 2000, the OIG has made over 325 audit recommendations for improvement. As of March 23, 2010, the RRB has implemented 234 of these audit recommendations, with the result that every FISMA required element has been addressed. Appendix I lists important outstanding recommendations that require additional action by agency personnel to ensure all FISMA requirements are in place and effectively operating on a consistent basis.

[Chart: Audit Recommendations by Fiscal Year, 2000 through 2010, plotting Number Implemented and Number Pending Implementation on a vertical axis from 0 to 350. Callout: "The RRB has made steady progress in implementing audit recommendations."]

The details of our findings and conclusions follow. A draft of this report was sent to the RRB and no comments were provided.

Certification and Accreditation

In FY 2009, the RRB completed actions to ensure that every major application and general support system is certified and accredited in accordance with requirements set forth by the National Institute of Standards and Technology (NIST).[4] The RRB is continuing its work to ensure an effective certification and accreditation process.

[4] NIST requirements for certification and accreditation are presented in Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems - A Security Life Cycle Approach, February 2010.

OMB Circular A-130, Appendix III, requires that agency management authorize systems for processing based on a formal technical evaluation of management, operational, and technical controls.[5] This authorization should be performed at least every three years, following an independent review of the security controls. This review of security controls culminates in a NIST compliant certification and accreditation of the information system.

[5] OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources.

In February 2002, the OIG first reported the need for the RRB to periodically perform independent evaluations of information system security, which leads to an authorization for processing or the certification and accreditation of the information system. In FY 2007, the RRB contracted for independent evaluations and NIST compliant documentation to support a certification and accreditation process. Contractor evaluations occurred between FY 2007 and FY 2009.

In FY 2008, we reported a weakness in the RRB's process for reviewing contractor deliverables, and noted in FY 2009 that the RRB was not effective in correcting that weakness. Due to the ineffective review process for contractor deliverables, we cited the agency with a significant deficiency in the internal control over the certification and accreditation process.

The RRB has started addressing this significant deficiency by conducting a BIS review of the FY 2009 contractor deliverables for the mainframe and LAN/PC information security review to resolve inaccurate or missing information. Specific controls will need to be placed into operation to ensure a consistent and effective certification and accreditation review process of documentation prepared by agency employees or contractor personnel.

Access Controls

The RRB has taken numerous actions to strengthen controls over information system access. They continue to address this significant deficiency.

OMB Circular A-130, Appendix III, defines least privilege as the practice of restricting a user's access or type of access to the minimum necessary to perform his or her job. Other interrelated controls such as separation of duties and user authentication, including passwords, are used to assure adequate security for all information processed, transmitted, or stored in Federal information systems.

In FYs 2000 and 2001, contractors hired by the OIG reported that the RRB did not have a formal password policy and noted weaknesses in password management including the lack of password complexity, password history files, and poor password encryption on some information systems.

In February 2002, the OIG reported that passwords were not set to expire for some users and noted that an application displayed an unencrypted administrator password. We also reported numerous other access control deficiencies including poor account management, excessive user rights, and an inadequate user reauthorization process. Due to the nature and extent of these deficiencies, the OIG reported that the RRB's access controls were not effective, and cited the agency with a significant deficiency.

Since that time, the RRB has taken numerous steps to strengthen controls over information system access. For instance, they are developing a formal password policy and are working to enforce that policy across all agency platforms. They have addressed many account management weaknesses by implementing procedures to identify and remove inactive accounts, unnecessary shared or administrative accounts, and accounts of separated employees.

The RRB has also taken significant steps to ensure least privilege in the LAN environment. In February 2002, we reported that the RRB was unable to identify or produce a listing of system users. We later found that many of the LAN applications were designed to give excessive rights (to the extent of "full control") to every user. Actions taken by the agency to remedy this weakness involved full application rewrites and a migration to a newer operating system that allowed the principle of least privilege to be applied. Additionally, the agency implemented a three-server environment that segregated LAN systems for development, test, and production, which alleviated segregation of duties weaknesses for systems development staff. These improvements were a major undertaking for the agency and required several years to implement. In FY 2009, the RRB was able to conduct its first reauthorization review of LAN user access.

Privacy

The RRB has implemented several OMB directives on privacy. They continue to address OMB's privacy-related directives and audit recommendations made by the OIG.

The Privacy Act requires Federal agencies to protect the privacy interests of individuals by placing restrictions on the government's collection, use, and dissemination of personal information. The E-Government Act of 2002 set forth additional privacy protections when agencies collect, maintain, or disseminate personal information using information technology. OMB has issued a number of directives to agencies regarding their responsibilities for safeguarding and protecting this information, and for reporting certain privacy-related actions and reviews performed by the agency.[6]

[6] OMB Circular A-130, Appendix I, Federal Agency Responsibilities for Maintaining Records About Individuals; OMB M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002; OMB M-06-15, Safeguarding Personally Identifiable Information; OMB M-06-16, Protection of Sensitive Agency Information; and OMB M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information.

In response to OMB directives and OIG audit recommendations, the RRB:

   •   formed two committees, the information security and privacy committee which aids in privacy policy making, and the agency core response group which is responsible for safeguarding against and responding to breaches of personally identifiable information;
   •   implemented policies and procedures for general privacy information management;
   •   implemented policies and procedures for performing privacy impact assessments when personally identifiable information is collected, maintained, or disseminated using information technology;
   •   conducts privacy impact assessments in accordance with the above procedures;
   •   issued agency owned laptops with NIST approved encryption to RRB employees who work with personally identifiable information outside of RRB facilities;
   •   conducts training on privacy-related responsibilities for the above employees;
   •   issued procedures for the identification of contractors who are exposed to personally identifiable information;
   •   conducts training on privacy-related responsibilities for the above contractors;
   •   revised numerous forms, letters, and other correspondence to eliminate the use of social security numbers;
   •   revised several online information systems to eliminate the display of social security numbers; and
   •   conducts the necessary reviews of privacy information and records as required by OMB.

The RRB has implemented a privacy program that addresses the Privacy Act requirements, security breaches involving personally identifiable information, and ongoing assessments for the impact of using privacy-related information. They continue to address other outstanding directives and OIG audit recommendations.

Risk Assessment

The RRB has taken action to ensure NIST compliant risk assessments are developed for every major application and general support system, thus removing a significant deficiency. They continue to address audit recommendations for ensuring the risk assessments are complete and accurate.

FISMA requires agencies to develop, document, and implement periodic assessments of the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency.

Early risk assessments prepared by the RRB were designed to provide reasonable assurance that the agency accomplished its mission and protected its assets. These risk assessments were not designed to consider information security control objectives and techniques. During FY 2003 and FY 2005, the OIG had recommended that the agency implement a formal certification and accreditation process which would include security-based risk assessments, and the completion of formal risk assessments in accordance with NIST guidance, respectively. In September 2005, we reported that the RRB had made little progress in implementing an effective risk assessment process and cited the agency with a significant deficiency due to this delay.

Formal NIST compliant risk assessments were prepared in response to the RRB's FY 2007 contract for the certification and accreditation of their major applications and general support systems. As a result, we removed this significant deficiency. However, our review of the risk assessments prepared by the RRB's contractor showed that the assessments were not complete or accurate with regard to the RRB's operating environment. Therefore, existing OIG audit recommendations pertaining to complete and accurate risk assessments remain open. The RRB continues to address these open audit recommendations.

Policies and Procedures

The RRB continues to take action to implement information security and privacy policies and procedures.

FISMA requires agencies to develop, document, and implement risk-based policies and procedures that ensure that information security is addressed throughout the life cycle of each information system and that ensure compliance with other FISMA requirements, including minimally acceptable system configuration requirements and the security control areas promulgated by NIST.

The RRB has implemented various policies and procedures to strengthen their information security and privacy programs. These policies and procedures encompass multiple areas, including systems development, systems configurations, incident handling and response, access control, continuity of operations, and privacy management. The RRB continues to address other information security and privacy areas that require new or updated policies and procedures.

System Security Plans

The RRB has taken action to ensure NIST compliant system security plans are developed for every major application and general support system. They continue to address audit recommendations for ensuring that the system security plans are complete and accurate.

FISMA requires agencies to develop, document, and implement subordinate plans for providing adequate information security for networks, facilities, and systems or groups of information systems. These subordinate plans are otherwise referred to as system security plans.

The RRB has historically maintained system security plans for its major applications and general support systems. Occasionally, the OIG has found that the plans require revisions to more accurately reflect the RRB's operating environment.

System security plans were prepared when the RRB contracted for the certification and accreditation of its major applications and general support systems in FY 2007. However, our review of the system security plans prepared by the RRB's contractor showed that the plans were not complete and were inaccurate with regard to the RRB's operating environment. Therefore, existing OIG audit recommendations for complete and accurate system security plans remain open. The RRB continues to address these open audit recommendations.

Training

The RRB has implemented a security awareness training program that meets the requirements of FISMA for employees and contractors. They continue to address open audit recommendations for the specific training needs of some individuals.

FISMA requires agencies to develop, document, and implement a security awareness training program to inform employees, contractors, and other users of the information systems about the risks associated with their activities and their responsibilities in complying with agency policies and procedures designed to reduce those risks.

In February 2002, the OIG cited the agency with a significant deficiency in security training for key personnel with decision-making responsibilities. In FY 2006, we reported that the RRB had implemented a role-based security training curriculum and had provided a substantial portion of the current year's training plan to employees with significant security responsibilities. The agency also continued its existing program for providing general security awareness training to full-time employees and contractors. As a result, we removed the significant deficiency in this area.

Since that time, the RRB has consistently ensured annual training to its employees and contractors; however, improvements can be made for specific training needs of certain individuals. The RRB continues to address these training needs.

Testing and Evaluation

The RRB has taken action to ensure tests and evaluations of management, operational, and technical controls are performed for every major application and general support system, thus removing a significant deficiency. They continue to address audit recommendations for performing tests and evaluations for agency information and information systems located outside of RRB headquarters, including RRB field offices and contractor operations.

FISMA requires agencies to develop, document, and implement annual testing and evaluation of the effectiveness of the information security policies, procedures, and practices of the agency's management, operational, and technical controls over information systems.

In February 2002, the OIG reported that the RRB was not performing periodic evaluations of system security as required by OMB Circular A-130, Appendix III. During FY 2003 and FY 2004, we recommended that the agency implement a formal certification and accreditation process, which would include tests and evaluations of system security controls. In September 2005, the OIG reported that the RRB had made little progress in implementing a consistent FISMA compliant testing and evaluation process, and cited the agency with a significant deficiency due to this delay.

Formal tests and evaluations of the management, operational, and technical controls of agency major applications and general support systems were prepared in response to the RRB's FY 2007 contract for the certification and accreditation. As a result, we removed this significant deficiency. However, our review of the test and evaluation plans and results showed that the testing did not extend to RRB information systems located outside of RRB headquarters, including RRB field offices and contractor operations. Therefore, additional audit recommendations have been made. The RRB continues to address these open audit recommendations.

Remedial Action Process

The RRB has begun the process of preparing an agency-wide Plan of Actions and Milestones (POAM) to address information security and privacy weaknesses. The RRB continues work to ensure it is effective in identifying all weaknesses and in prioritizing their remediation efforts.

FISMA requires agencies to maintain a process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency. Additionally, OMB requires each agency to develop a formal POAM to identify vulnerabilities in information security and privacy, and to track the progress of corrective action.

Between FY 2003 and FY 2007, the OIG reported that the RRB's POAM was incomplete and insufficiently detailed to be an effective tool for identifying information security and privacy vulnerabilities, and for prioritizing agency plans and efforts to correct the weaknesses found.

Formal POAMs were prepared for RRB major application and general support systems in response to the RRB's FY 2007 contract for certification and accreditation. These POAMs, coupled with OIG audit follow-up records, represent the RRB's agency-wide POAM as required by FISMA. However, our review of the POAMs prepared for the major application and general support systems showed that they did not reflect the full results of the contractor's testing, nor were they prioritized by the RRB to ensure timely and effective remediation.

The RRB has begun the process of consolidating the POAMs and establishing the means to prioritize the information security and privacy weaknesses. Actions taken to date have not been evaluated by the OIG to determine their overall effectiveness for managing the agency's remediation efforts. The RRB continues its work to ensure an effective remedial action process.

Incident Handling and Reporting

The RRB has taken numerous actions to strengthen controls over incident handling and reporting. They continue to address open audit recommendations in this area.

FISMA requires agencies to develop, document, and implement procedures for detecting, reporting, and responding to security incidents. This includes mitigating risks associated with such incidents before substantial damage is done, notifying and consulting with the Federal Information Security Incident Center (US-CERT), and with law enforcement agencies (OIG-Office of Investigations (OI)), as appropriate.

Audit reports dating back to FY 2000 have disclosed the need for improvement in the RRB's incident handling and reporting processes. Since that time, the RRB has made significant progress in establishing a computer emergency response team (RRB-CERT) that is capable of identifying and handling security incidents in a timely manner. Additionally, the RRB has implemented procedures to ensure timely and accurate reporting of incidents, both internally to agency management and externally to US-CERT and OIG-OI.

The RRB now has a comprehensive program that utilizes an array of prevention and detection tools to protect RRB information and information systems. RRB-CERT works closely with the agency core response group when data breaches occur. The RRB continues to address open audit recommendations and to ensure the effectiveness of this incident response program.

Continuity of Operations

The RRB has implemented a continuity of operations plan that meets the requirements of FISMA. They continue to work on some outstanding audit recommendations.

FISMA requires agencies to implement plans and procedures to ensure the continuity of operations for information systems that support the operations and assets of the agency.

Past audits dating back to FY 2001 have disclosed the need to improve the RRB's continuity of operations by updating the disaster recovery plans to reflect the current operating environment and critical business systems. We also recommended additional testing to ensure that critical business systems are scheduled for off-site testing on a rotational basis, which would provide assurance that all critical systems can be recovered and become operational in a timely manner. Additionally, we recommended that the RRB schedule their off-site tests to ensure sensitive data is cleared from the facility's data packs when testing is complete.

The RRB performs off-site disaster recovery testing twice a year, and has tested all major applications and general support systems over the past few years. They continue to address open audit recommendations for a rotational schedule and for ensuring the data packs are cleared.

Inventory of Systems

The RRB has implemented an inventory of major applications in accordance with FISMA. They continue to address outstanding audit recommendations for the overall improvement of their information systems inventory.

FISMA requires each agency to develop, maintain, and annually update their inventory of major information systems. This inventory is to include an identification of the interfaces between each system and all other systems or networks, including those not operated by or under the control of the agency.

In FY 2002, the OIG reported that the RRB was unable to provide the auditors with a current inventory of the agency's LAN hardware and software. At that time, no audit recommendation was made because the RRB was in the process of implementing a new automated system to support fixed asset management. In FY 2005, we reported that the RRB was maintaining several separate inventories of systems and recommended that they develop an official inventory of the component applications that comprise the major application systems. We also recommended that they identify the servers where individual LAN component systems operated, and the security administrators of decentralized component systems.

The RRB has addressed all three of the above audit recommendations and developed a method for maintaining the system inventory in accordance with FISMA requirements. They continue to work to improve the procedures and practices for maintaining their information systems inventory.


Appendix I

Important Outstanding Audit Recommendations

Certification and Accreditation

   •   Implement controls to ensure an effective certification and accreditation review process. (OIG Report No. 10-01, #1)

Access Controls

   •   Develop controls to ensure that least privilege is applied to the LAN general support system on an ongoing basis. (OIG Report No. 02-04, #20)
   •   Develop controls to ensure that workstation connectivity is controlled by a management policy that minimizes risk. Restrict file and folder access and develop controls to maintain the principle of least privilege. (OIG Report No. 02-04, #21; OIG Report No. 08-03, #1)
   •   Reduce administrator access privileges, if appropriate. (OIG Report No. 08-03, #2)
   •   Prohibit the FFS system administrator from entering, approving, or modifying transactions. (OIG Report No. 09-02, #7)
   •   Enforce separation of duties in FFS to prevent employees from approving transactions they have entered. (OIG Report No. 09-02, #8)
   •   Implement regular reviews of Medicare options cases for accuracy. (OIG Report No. 09-05, #2)
   •   Restrict the Field Service access profile to only those positions that require all system privileges contained in the profile. (OIG Report No. 09-05, #12)
   •   Review inactive contractor access accounts, establish contractor system access with an expiration date, and reauthorize annually. (OIG Report No. 09-05, #15 and OIG Report No. 09-06, #4)

Privacy

   •   Develop test database without personally identifiable information (PII) for use in system development. (DSD Web, #18)
   •   Update current agreements and plan for encryption of data transmitted for state wage match. (OIG Report No. 07-04, #1 and #2)
   •   Issue agency laptops with encryption software to employees when working at home. (OIG Report No. 07-06, #5)
   •   Install mainframe tape encryption for tapes transported off-site. (OIG Report No. 07-06, #7)
   •   Develop comprehensive program to ensure physical security of PII. (OIG Report No. 07-09, #1)
   •   Ensure all tapes removed from the computer center are properly inventoried. (OIG Report No. 07-09, #9)
   •   Establish policy and procedures for: compliance with disposal requirements, equipment sanitation procedures prior to disposal, proper sanitization of damaged hard drives, hard drive physical destruction, and reuse of hard drives. (OIG Report No. 
07-09, #3, #14, #15, #17, and #18)\n\n                                            12\n\x0c                                                                                Appendix I\n\n\nPolicies and Procedures\n\n   \xe2\x80\xa2   Develop procedures to identify and refer for correction date of birth\n       discrepancies. (OIG Report No. 07-02, #3)\n   \xe2\x80\xa2   Develop an electronic history of Medicare premium refunds, of tax withholding\n       transactions, and of FAME transactions. (OIG Report No. 07-02, #4;\n       OIG Report No. 07-07, #4; and OIG Report No. 09-03, #7)\n   \xe2\x80\xa2   Develop procedures and controls for emergency programming changes.\n       (OIG Report No. 09-05, #16 and #17)\n   \xe2\x80\xa2   Ensure documented password policy conform to Federal Desktop Core\n       Configuration (FDCC) security configuration. (OIG Report No. 09-05, #18)\n   \xe2\x80\xa2   Develop plans to implement Windows 2003 configuration policy and remove\n       Windows 2000 servers; implement FDCC settings and document FDCC\n       deviations. (OIG Report No. 10-01, #2, #3, and #4)\n\nTesting and Evaluation\n\n   \xe2\x80\xa2   Conduct penetration testing annually. (DSD LAN, #2)\n   \xe2\x80\xa2   Extend test plans to include locations outside of RRB headquarters.\n       (OIG Report No. 07-08, #2)\n   \xe2\x80\xa2   Develop a comprehensive plan for testing agency contractor systems. Perform\n       reviews to determine which RRB contractors are independent information\n       systems. (OIG Report No. 08-05, #3 and OIG Report No. 10-01, #6)\n\nRemedial Action Process\n\n   \xe2\x80\xa2   Ensure that all security weaknesses are included in the agency wide POAM and\n       that the plan demonstrates the prioritization of agency remediation efforts.\n       (OIG Report No. 05-11, #3)\n   \xe2\x80\xa2   Update all privacy weaknesses to the agency wide POAM.\n       (OIG Report No. 
07-06, #15)\n\nIncident Handling and Reporting\n\n   \xe2\x80\xa2   Centrally manage all servers and workstations with virus scanning software\n       signatures. (DSD LAN, #3)\n\nContinuity of Operations\n\n   \xe2\x80\xa2   Ensure data packs used in off-site testing are cleared of PII after testing.\n       (OIG Report No. 07-08, #5)\n   \xe2\x80\xa2   Schedule all general support systems and major applications to participate on a\n       rotational basis in the off-site disaster recovery tests. (OIG Report No. 07-08, #6)\n\n\n\n\n                                            13\n\x0c'